Assurance IT invited our favorite ethical hacker, Laurent Desaulniers. In this episode, Laurent Desaulniers, Security Cloud Manager, and Luigi Tiano, co-founder of Assurance IT, discuss:
1. What does ethical hacking really mean?
2. Should pentests be done multiple times per year?
3. Who was Mafia Boy?
4. How did he give ethical hacking a bad name?
5. What will the lack of IT talent result in?
6. The truth behind the ethical hacking community
7. What are some ways to get started in ethical hacking?
8. How do you identify great hacking talent?
9. The #1 question to ask ethical hackers in interviews.
10. How much money you can make as an ethical hacker.
BONUS TOPICS
What schools should really be teaching about tech?
Resources for learning cyber security.
Resources:
Laurent Desaulniers’s LinkedIn: https://www.linkedin.com/in/laurentdesaulniers/
Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/
Assurance IT Website: http://www.assuranceit.ca/
About Laurent Desaulniers:
Laurent Desaulniers combines a strong technical experience with creative thinking to achieve elegant solutions with a passion for security, especially forensic, web and penetration testing.
Laurent Desaulniers is knowledgeable in the following technologies:
- Operating systems: Linux (Ubuntu/Debian), Windows (2008, 2003 Server, Windows 2000 Server), Cisco IOS
- Programming languages: PHP, Javascript, Python, Java (J2EE, EJB3, Servlet, Swing), JSP, Struts
- Framework: PCI-DSS, ISO-27001, ISO27034, ISO17799, ISO13335, ITIL, COBIT.
- Methodology: OSSTM, OWASP, OCTAVE
- Security: IDS systems, Honeypots, Penetration Testing
Specialties: Forensic, Web application intrusion, Vulnerability Analysis
About 10 Questions to Cyber Resilience:
Twice per month, learn how IT leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up to date with hot topics in cyber security.
About Assurance IT:
Assurance IT (www.assuranceit.ca) has specialized in data protection and data privacy for the mid-market in Canada since 2011. The Montreal-based company's unique approach to helping customers become cyber resilient is called the PPR Methodology, which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.
Luigi: Thanks for joining us here today, Laurent, on our podcast. Really excited to have you on. Let's go ahead and start, Laurent. Who are you, what do you do, and what got you to where you are today?
Laurent: So my name is Laurent Desaulniers. I'm a vice president at GoSecure. I manage two teams, so I manage the incident response team as well as the penetration testing team. So I have a team that breaks into building applications, that does all the hacking stuff. Whereas I have a team that answers this problem and tries to solve it on behalf of our client. So that's basically it. What I'm doing, I've been doing this for 15 to 20 years, depending how you count, and I've also been lucky to be allowed to teach, so I've taught this in three universities in Montreal. So that's pretty much all there is.
Luigi: And who do you work for today, Laurent?
Laurent: I work for GoSecure, which is an MXDR and a service company. So we're doing pen testing and also managing XDR. So managing all the endpoints and doing detection and response.
Luigi: I noticed that if I look back at your profile, you've been doing this a very long time. And you're actually a pretty young guy. So it's pretty interesting. You've probably seen a tremendous evolution of security happen over the years. My first question I have for you is, a lot of people talk about ethical hacking. So can Laurent really simplify what ethical hacking is?
Laurent: So ethical hacking: ethical is at least as important, if not much more so, than hacking. So what we're doing mostly is being hired to break into a system. And we do it based on what are called rules of engagement. So we make sure we follow, respect the rules, we don't actually break things for the client, and that's what we're doing. The ethical aspect, though, is super important. Think about the level of trust the company needs to have in you, to allow you to perform these types of tests or get access to passport data or get access to social security numbers. As a tester, you need to be above doubt and above suspicion for any form of testing, and that's the only way you can get business: by being above reproach and above any doubt regarding your ethical integrity. So in ethical hacking, there's a hacking part and an ethical part, and some of it is what we're doing.
Luigi: And in your opinion, ethical hacking, does this apply to small business, large business? Who should be taking on or actually requesting an ethical hacking service?
Laurent: Nowadays we see more and more pen testing performed across all systems. It started more where there was money. So banks, for example, like early 2000, mostly banks and militaries were performing pen testing. Now with compliance frameworks, and people say Bill 25 in Quebec, but there's one in British Columbia as well that now makes it mandatory to have protection, there's GDPR. So now there's more and more privacy-based compliance rules and laws. That is one reason why there is more and more pen testing. Same for credit card data compliance, like PCI, for example, that also makes pen testing mandatory for these industries. So I think the main drive across organizations for pen testing is still compliance, but we're seeing now more and more companies doing risk management. They don't wanna do it just to comply with the framework, but they wanna do it to find their actual risk and be able to find ways to mitigate these problems, mitigate their risk. We see that often now.
Luigi: And oftentimes, you mentioned compliance. We're seeing a lot more from the cyber insurance perspective, where cyber insurance companies are forcing companies who may not have the same maturity level as those companies you mentioned earlier. The cyber insurance companies are forcing enterprises to just become more mature. And ethical hacking is obviously a fundamental way for companies to really get an understanding of where they are in their process. Is that an accurate statement?
Laurent: It's absolutely correct. Insurance has been a big driver, but there's a big change in cyber insurance. I think the industry is becoming more mature. A few years ago it was: you sign a contract, send a file, you were done. Now there are many more audits to subscribe to cyber insurance, and I think it's a good thing that all these controls are in place to better prevent...
Luigi: I, I agree with that. And to your point, I think it's gonna be more difficult and I think there's gonna be more rigor. And I think it won't be one time a year where you sign off, it'll be multiple times a year and then on a regular basis to make sure that you're actually keeping those controls in place. I think that's where we're gonna see more. I don't think the insurance companies have what it takes to do that repetitively often enough to make sure their customers are in line. But I think at some level we're gonna see more of that. I wanna stick in the ethical hacking vein because you and I, obviously, were raised in Quebec here. And there's a very famous individual who, I guess, maybe made ethical hacking a little bit famous earlier on. And so ethical hackers sometimes get a bad reputation. And we have a local famous character named Mafia Boy. For those who don't know, maybe can you remind us what Mafia Boy did and how he impacted the industry today?
Laurent: So Michael Calce, AKA Mafia Boy, was the teen in Île-Bizard, Montreal, who performed denial of service on many systems. Yahoo was very big at the time and Yahoo was down thanks to his efforts. Same for eBay, it was also down, so he brought down lots of systems using distributed denial of service. If I had to qualify the threat, Michael Calce was on the lower end of sophistication: he used a tool and there was little to no privacy impact, he didn't show much, although we can all agree impact was high. This is not what I would call ethical hacking, nor ethical, by the way. 'Cause there were no prior permissions nor hacking per se, as he mostly used the tool. So there's no discovery, no impact analysis, none of these things. But it's really interesting because when you look into the end of the century, so like the 1990s, that's how you got hired. So at that point, if you hacked into NASA and you got caught and you spent a few months or years in jail, then they knew you were good. Obviously, you hacked into NASA. One could argue that if you got caught, perhaps you weren't so good. But at that point, that's how the business worked. Keep in mind, there were no certifications at that point. There were no frameworks of ethics. It was barely known. Now the industry has really evolved. Nowadays, there are CTFs, there are certifications, there is mentorship, there are schools, there are bug bounties. There's lots of ways for people to show their skills, but at that time, that's how people got hired: by breaking into systems. It's really different. It's not 30 more years ago, but yeah, that's how people got it.
Luigi: Yeah. People forget. So Mafia Boy, I think he hit those companies in, I think, 2000, right?
Laurent: Yeah.
Luigi: And there probably wasn't the level of sophistication in terms of security as there is today. And to your point, I think his attack was a really low-level, not really sophisticated way of attacking systems.
Laurent: That's absolutely correct. And that's how we've seen the industry evolve over time.
Luigi: We talk a lot about ethical hacking and the industry and the field. From my vantage point, and talking with customers, and I wanna get your perspective on this: is there a shortage of talent out there today as we speak?
Laurent: There's a shortage in ethical hacking, but there's a shortage in governance. There's a shortage in architecture. There's a shortage in sysadmins, in DBAs, in software developers. Yeah, there's lots of shortages, and these things have an impact because, say your system administrators have more work, then perhaps patching or security configuration will be less of a priority over other things that are either more related to the mission of the organization or more business critical. So that opens more doors for a hacker. So your threat increases. So not only, I feel, are there not enough people to perform these tests, and it's difficult to come with the right level of training, but also the lack of database administrators, system administrators, also opens more doors. So it's like a Catch-22 where the lack of people creates a problem.
Luigi: Interesting. And then we see that across the board. So if we look specifically, though, at ethical hacking, 'cause we wanna educate our audience here. Ethical hacking: how has that progressed from your early days till now? Have you seen an uptick or an increase in interest? Is it a domain where it's easy to access the tools? There's obviously a growing community, so maybe talk to us a little bit about how ethical hacking has progressed in the community.
Laurent: Let me first say that the community in Canada is amazing. It's really something we ought to be proud of. Now there are many ways to break into computer security and to learn. One problem that I feel is what is called gatekeeping. So since security is considered to be very important or mission critical, we quite often see job postings for an entry-level pen tester that require five to seven years of experience, and that's a bit insane. After five to seven years, in theory, you're not a beginner anymore. So there's lots of gating. It's quite difficult to break into computer security because of the way these job postings are made and also because of the way people learn. Not all pen testers have bachelor's degrees. Thankfully, computer security is something that can be learned on your own with CTFs, or capture the flags, with competitions, with bug bounties, with training online, like Hack the Box, for example. That's a website where you can learn to hack systems. So there's lots of ways for people to learn it by themselves and be very good despite not having a bachelor's or master's degree. But with HR oftentimes, it doesn't match: the requirements oftentimes are for diplomas, and this is not what all typical pen testers have. There are also certifications. I'm a big proponent of a certification called OSCP, the Offensive Security Certified Professional. It's a hands-on exam and all the testers on my team are OSCPs. It's a requirement for my team 'cause it's hands-on. So it sets the level, but that's one way also to learn. But there are also communities. So in Montreal there's MontréHack, that's a monthly security training evening. There's DEFCON 416 in Toronto. There's a very big community in Vancouver as well. So there's lots of groups where you can learn. Now there's mentor-mentee. In Quebec we have Academos, where we have lots of people who are there to help answer questions and be a mentor. There are mentorship opportunities as well. So there's lots of ways to get to know people and get to know the business. And there are also special interest groups. There's ekka for people doing audit, there's OWASP, there's OWASP Toronto, there's OWASP Ottawa, for example, that are groups that focus on AppSec. That is also a good way to learn and get to know people.
Luigi: Yeah, you've shared a lot of information, and what we'll do is I'll probably ask you to send us some of those links so we can include them in the post, 'cause that's important. I didn't know there was such a huge community out there, and it is a really important role in the enterprise today. And I'll just touch on something you said. So you're big on certifications. Frankly, I believe the same thing. Obviously school, going through the proper channels in the school, obviously is really important. But I think in our field, if you're not constantly improving yourself, you can get outdated pretty quickly. So those certifications are proving to your employer and to your clients that you're able to keep up with the industry trends, because they are ever changing, as we've seen in our business.
Laurent: But it's one way, 'cause sometimes training as well is a way that doesn't necessarily lead to certification. But say, when I look at the resume, things for me that are a big plus are capture the flag experience. So CTFs, I briefly talked about it, it's a hacking competition where you get to hack things legally that are made to be hacked. And so there are lots of competitions. One is very big in Montreal, called NorthSec. There's Defcon, there's quite a few. So for me, having hands-on CTF experience is something I'm looking at. But also like GitHub. So if you have a GitHub or GitLab account and you commit code, then you make changes, it shows your skill. You're not just saying, I'm a developer. We can read your code, we can see what you've done. Being in the community is also something that I look at. And these are all techniques where you can show growth. It's also a common interview question: how do you keep up to date in IT security? I pretty much ask it in every interview and you get interesting answers. The one you don't wanna answer is, oh, I don't know. I don't need to, or I don't follow.
Luigi: Yeah, not a good answer.
Laurent: It makes your day a lot easier and a lot quicker.
Luigi: I can understand that. When did you participate in your first capture the flag? In 2000? Was there a lot of these? When did they start coming into light?
Laurent: So the team I was with and myself started perhaps early 2007, I think. So there was a competition in Montreal called Boule de cristal. We did a competition in Germany that was very difficult. I was at ÉTS, or local University of Montreal. But the competition was in Germany. It was insane. I think there were 300 teams and I think we finished 295 or something. We were really bad at that point. And we grew from this. We did the Firefox CTF, we finished first. We did the Defcon Quals, so those are very large competitions, and then we started doing more and more. At some point, we did one every other weekend, roughly. And that's how we kept doing CTF. Now I'm an organizer of a CTF. Now I'm on the other side.
Luigi: Congratulations. It looks like you're really involved in the community, and I think we need more individuals like that, dedicated people, because I think it's a win-win, first of all. Obviously you're giving back to the community, but if you're looking for talent, you're in the mix of it all the time, right? So you know who the top players could potentially be, which is amazing. As an ethical hacker, obviously you don't start off day one as an ethical hacker. I think, as you mentioned, you need to build your experience. So what does a career look like and what can an ethical hacker earn on average? And I know it's a tough question, but if you can answer that.
Laurent: So these amounts are set in Canada, because in the United States or with very large companies, I know that the Microsofts of this world, or Amazons of this world, sometimes have much bigger salaries. But in Canada, roughly, an entry-level pen tester will do roughly 70 to 75,000 a year. Mid-level, I'd say a hundred, 110. And I think the more senior, 10, 15 years, it might go up to 160,000 a year, roughly.
Luigi: That's a very good living.
Laurent: That's a very good living. It's okay. There are outliers, though, for example, bug bounty. So bug bounty is when some companies pay you to hack. They only pay if you find something. And we have ex-employees who now are doing surf and doing bug bounty, half the time they're, like, doing surf and having a very good living, and it's much higher than this. That's roughly the salary you can expect. Again, there are outliers for very large companies.
Luigi: Yeah, those are good numbers, especially if you mentioned entry level to very senior. So it's a pretty big gap. But I think in IT, and any field, with experience I think we're duly paid for what we do, and I think organizations are starting to see the real value of IT professionals, especially in the security business. Again, we wanna encourage more folks to get into the security space.
Laurent: Absolutely. Yes.
Luigi: So it leads me to my last question, my last point. But you mentioned earlier you were a lecturer in universities and schools. This is my opinion, and I'd like to get yours. I think we're not devoting or dedicating enough education at the lower levels of school, of the institutions, to start putting this into the children's curriculum at some level. I think cybersecurity, maybe not necessarily cybersecurity but security in general, about digital security, I think needs to be employed more in the educational institutions. You lived there. You obviously spent some time there lecturing. What's your opinion about that and what can we do better to get more into the educational system?
Laurent: It's a very interesting thought. I'll try to break it into sub-categories. So I was very impressed about what people learn in primary and high school now. There are programming classes and robotics classes. It's mostly entry level, but being familiar with programming languages is the cornerstone of IT security, to be able to craft your own systems. So in order to have very qualified internet citizens, giving them these skills early is a very good thing, and this is fairly recent. We have yet to see what's gonna be the impact later on, because those people who are in high school, they're not on the market yet. But I know there's a really big increase in giving these types of training in robotics and programming. The people will play with Arduinos and Raspberry Pi at a very early age, and I think this is really exciting. It will change the market in a few years.
Luigi: Interesting perspective.
Laurent: As for security, there are two folds. I've been asked several times to give classes for privacy and intimate picture exchange, because in high school that's a problem oftentimes. But it's more about privacy and awareness. So it's not very technical. It's more about, be mindful of what you're doing, privacy online and these types of things, but it's something I'm asked a few times a year already and, believe me, the kids are smart. It's a little bit awkward at first, it's an intimate subject, but the students are interested and they ask smart questions and they understand really well. I think it would be a mistake to underestimate their interest and their capacity to learn in that regard. But turning them into security at some point, I feel that security is amazing, but we don't want to scare people into dealing with all this amazing technology and programming and the web and making queries. So I think while there should be more awareness, and more than just have a good password and have your patches on, but more about what phishing looks like and what to do when you have phishing, or what's important, not to run as admin. Like more targeted advice, I think. At least let the kids be kids and perhaps wait a little bit longer into giving the internet scary part. Just, I think we can wait a bit, but give them IT training, and that's what they're doing in high school, and I'm very happy about this.
Luigi: Yeah, I like that. I like that. I never looked at it from that perspective. So the IT training is the foundation and you don't necessarily have to give them all the ugly, scary stuff.
Laurent: Correct. That's my opinion.
Luigi: Okay. No. Interesting. But you're right. I think if we give them the fundamentals of understanding, to at least, why IT is important, how it enables them in their everyday life. But I think there's the aspect of privacy, which I think, without having to get too technical, like you mentioned. If you're describing the risks of not being private or giving too much information out there, I think that alone, without having to get too technical, should put some thought into their brain about keeping some information to themselves. 'Cause I think that's where-
Laurent: Interesting threat models, like one of the threat models is their parents. When you ask questions, when we think about privacy, you and I, we think about online ads. We think about these types of things. But they have a very real business threat model: their parents and their teachers. So when you're thinking about this, it gets really interesting, really fast. If you can have a talk with a 12 or 13 year old about their privacy model. It's interesting.
Luigi: It really is. Yeah. You've definitely put some things into my brain today about that. I appreciate that. Laurent, is there anything you wanna share before we go here? Because I really wanna respect your time. Is there anything you wanna say about ethical hacking? What you would recommend if someone wants to get started, what you need to get started?
Laurent: Ethical hacking has two sides. There's oftentimes what we call the AppSec and the networking side. If you want to break into AppSec, there's this amazing book called The Web Application Hacker's Handbook, Second Edition. That, for me, is the most amazing book about AppSec. It's hands-on, you can try it on. It's really something I can strongly advise you to read, and I know it's counterintuitive now in 2023 and I'm saying read a book, but it's a very good book. Also, there's a website that is free as well called PortSwigger Academy, where you can try lots of these attacks and you always have three levels, like easy, medium, and difficult. And the difficult challenges are difficult. So you need to have your thinking cap on. It's a pretty difficult challenge. So these two things: somebody who went through the whole PortSwigger Academy application, for me, is somebody I would certainly consider hiring, that's for sure. On the networking side, there are websites like Hack the Box that you might wanna try. The OSCP, I really cannot recommend it enough, although it's a bit costly. And yeah, that's pretty much what I would recommend to start into computer security, and find mentors. Reach out to me, reach out to you, Luigi, if you... I put you on the spot. Sorry. But...
Luigi: No, no problem. If you're willing, I think reaching out to senior people who know, who've done it before.
Laurent: If I may, I have a little anecdote for one minute.
Luigi: Please. Go ahead.
Laurent: How I got into computer security is interesting. When I was in high school, you need to pick what you want to do, and I knew I wanted to break into systems. I didn't know that it was a job at that point, and I wanted to talk with people, but didn't have any contacts in that field. Keep in mind, early 1990s, there were no certifications, there was nothing. So the CISSP certification had just started and the list was public. There were eight people who were CISSPs in Canada. As a young kid who barely spoke English, I called these eight numbers saying, hey, I wanna do hacking. What do I do next? And I got ignored by seven of them. But one person answered. And that person, his name is Robert G, sadly, he's deceased right now. And he was the CSO of the Bank of Montreal. So this guy took two hours with me just to walk me through the steps of what I should do: should I do certification, should I go to university? And it was really worth it. And the reason why I'm in computer security, to be truthful, is thanks to him. If we can have that influence over other people who want to break into that field, I think we have a responsibility to do so.
Luigi: That's an amazing story. Very nice to hear. So there were eight CISSPs in the early nineties in Quebec. Wow. And how many would you say, roughly, in Canada? In Canada? How many are there today, roughly?
Laurent: I don't know, now it's public, but I'd say roughly. Perhaps 10,000. 20,000.
Luigi: Oh wow. That many. Wow. Shows how the industry's grown. Interesting. Laurent, that was a great story. Appreciate that. And you know what, if we can definitely be mentors to some of the younger folks out there, I would definitely welcome that. Laurent, you've been an amazing guest. Keep doing what you're doing. I know you're protecting companies on a daily basis and GoSecure is lucky to have you. So I want to thank you again for joining us on the podcast and we will be in touch very soon.
Laurent: Thank you so much.
Luigi: All right, Laurent. Have a great day.
Laurent: Thanks. Bye.
Luigi: Thank you.